Password Policy
Description of the password policy.
The password policy is strictly enforced and is not designed to be downgraded. Passwords must comply with the following requirements.
People Import integrations continue to run and import user accounts with the existing passwords, even if those passwords are shorter than the minimum number of characters. However, when passwords do not comply with the password policy, users are prompted to change them the first time they log in, even if Require Password At Next Login is not checked.
- A password must contain alphanumeric characters, at least 1 uppercase character, at least 1 lowercase character, and at least 1 special character (special characters include @ . _ + - ! # $ ' ^ ` ~), and must be the Minimum length or longer.
  Example acceptable password: AYWzwmQX$Y4M3Dy (but don't use this example).
- Reuse Monitoring = The 24 previous passwords cannot be reused. You cannot turn off or edit this option.
- The password must not contain any of the following: user names, spaces, and words from the forbidden password list.
  Example forbidden passwords: MyUsername, password password, MyStrongPassword.
- Minimum length: The shortest acceptable password length.
  Minimum (default) = 8 characters.
  Maximum = 64 characters.
- Maximum consecutive identical characters = 4 (maximum and default) identical characters in a row that passwords can contain.
  Example forbidden passwords include the following: aaaaa, nnnnn, xxxxx, 00000, 66666, 99999.
- Maximum sequential letters or numbers = 3 (maximum and default) sequential letters or numbers that passwords can contain.
  Example forbidden passwords include the following: abcd, defg, wxyz, 1234, 5678.
- Expiration Frequency: The number of days after which passwords expire and users must change their passwords.
  Value = 180 (maximum and default) or fewer days. You cannot turn off this option.
  Caution: If a user account is used for system-to-system API calls, such as for integrations, password expiration can block API calls and prevent integrations from running. To avoid this, convert the user account to an API Only User in People Information; see the Employee topic. Your FAP must have API-only user set to Allowed; see the Manager - Common Setup ACPs topic. Once the account is API-Only, it supports only API calls, and you cannot use it to log in from a browser or mobile app.
- Account is locked out for inactivity: The number of days of inactivity before the system locks the account. Note: User accounts that use Federated Authentication are not locked out because of inactivity. For more information about the types of authentication, see the Authentication topic.
  You cannot turn off this option, but you can edit the following:
  - Inactive existing user accounts = 180 (maximum and default) or fewer days.
  - First-time login = 30 (maximum and default) or fewer days. Note: To avoid locking accounts during setup, set the User Account Status to the effective, active date of the accounts.
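The following Python script is an added example; it is not part of the product's documentation or code. It checks a candidate password against the composition rules listed above (length, character classes, user name, spaces, forbidden words, identical and sequential runs) and keeps a salted, hashed history for the Reuse Monitoring check. The user name jdoe, the forbidden-word sample and the test passwords are constructed. Three readings go beyond what the page states and are assumptions: "alphanumeric" is taken to require at least one digit (the acceptable example contains digits), user-name and forbidden-word matches are case-insensitive substring matches, and descending sequential runs (dcba, 4321) are rejected as well as the ascending runs the page shows.

```python
"""Reference checker for the password-composition rules in the policy above.

Added example, not the product's own implementation. Constructed values: the
username "jdoe", the forbidden-word sample ("password",) and the test
passwords. Assumptions: "alphanumeric" means at least one digit; user-name and
forbidden-word matches are case-insensitive substring matches; sequential runs
are rejected in both ascending and descending order.
"""
import hashlib
import hmac
import os

SPECIAL_CHARACTERS = set("@._+-!#$'^`~")   # the set listed in the policy
FORBIDDEN_WORDS = ("password",)           # constructed sample of the forbidden list
HISTORY_DEPTH = 24                        # Reuse Monitoring: last 24 passwords


def longest_identical_run(text):
    """Length of the longest run of the same character (aaaaa -> 5)."""
    best = run = 1 if text else 0
    for prev, cur in zip(text, text[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def longest_sequential_run(text):
    """Longest run of letters or digits stepping by +1 or -1 (abcd, 4321 -> 4).

    Letters are compared case-insensitively; a run never crosses between
    letters and digits, so "a1" or "9:" are not sequential.
    """
    lowered = text.lower()
    best = 1 if text else 0
    for step in (1, -1):
        run = 1
        for prev, cur in zip(lowered, lowered[1:]):
            same_class = (prev.isdigit() and cur.isdigit()) or (prev.isalpha() and cur.isalpha())
            if same_class and ord(cur) - ord(prev) == step:
                run += 1
                best = max(best, run)
            else:
                run = 1
    return best


def check_password(password, username, min_length=8, max_length=64,
                   forbidden_words=FORBIDDEN_WORDS,
                   max_identical=4, max_sequential=3):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than the minimum length of {min_length}")
    if len(password) > max_length:
        problems.append(f"longer than the maximum length of {max_length}")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        problems.append("no special character")
    if " " in password:
        problems.append("contains a space")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    for word in forbidden_words:
        if word.lower() in lowered:
            problems.append(f"contains forbidden word {word!r}")
    if longest_identical_run(password) > max_identical:
        problems.append(f"more than {max_identical} identical characters in a row")
    if longest_sequential_run(password) > max_sequential:
        problems.append(f"more than {max_sequential} sequential letters or numbers")
    return problems


# Reuse Monitoring: store salted PBKDF2 digests of earlier passwords, never the
# passwords themselves, and compare a candidate against the last 24 entries.
def history_entry(password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def was_recently_used(password, history):
    for salt, digest in history[-HISTORY_DEPTH:]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


if __name__ == "__main__":
    for pw in ("AYWzwmQX$Y4M3Dy", "MyStrongPassword1!", "Paaaaa1!x", "Abcd1234!"):
        print(pw, "->", check_password(pw, "jdoe") or "compliant")
```

Running the script reports the acceptable example as compliant and lists the specific rule each forbidden example breaks, which is the level of feedback a login or self-service page should give a user. The history check stores only salted digests, so a leaked history table does not reveal the earlier passwords.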
You can make only limited adjustments to the password policy as follows:
- Select .
- To change the minimum password length and other log-on settings, see the Logon Profiles topic.
